ROPSentry: Runtime defense against ROP attacks using hardware performance counters

Abstract

Return-Oriented Programming (ROP) is one of the most common techniques used to exploit software vulnerabilities. However, existing defense techniques can be defeated by attackers or suffer from high performance overhead. In this paper, we propose a defense framework, named ROPSentry, to detect ROP attacks at runtime. It is built on the observation that ROP exploits usually trigger different hardware events than normal, compiler-generated programs. Hence, we leverage hardware performance counters to track such hardware events and analyze the behavioral patterns of ROP attacks. ROPSentry has two approaches. The ROP-only defense approach detects ROP attacks by capturing the patterns of ROP exploits; to keep performance overhead low, we propose to sample the hardware performance counters at mispredicted return events instead of at every microinstruction. To further reduce performance overhead, we propose a self-adaptive defense approach that dynamically switches between low and high sampling rates. It detects the patterns of spraying attacks (i.e., a common ROP payload delivery technique) at a low sampling rate, and then switches to a high sampling rate to detect the patterns of ROP exploits. Our evaluation on 11 real-world ROP exploits, 50 synthetically generated ROP exploits and 1000 benign websites has shown that the ROP-only and self-adaptive approaches are effective in detecting ROP attacks with low performance overhead (11% and 1% respectively) as well as low false positive rates, and that they significantly outperform the state-of-the-art techniques in terms of performance overhead without losing detection accuracy.
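To make the two sampling policies concrete, the following simulation is an added example and not code from the ROPSentry authors. It assumes that each sample taken at a mispredicted return carries the instructions retired since the previous one (short runs indicate gadgets) and a memory-write count used as the spraying indicator; the thresholds, the low sampling rate and the sample stream are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Sample:
    """One HPC sample taken at a mispredicted-return event (constructed input).
    insns: instructions retired since the previous mispredicted return.
    mem_writes: memory-write events in the same window (assumed spray indicator)."""
    insns: int
    mem_writes: int

# Thresholds are assumptions for this simulation, not values from the paper.
GADGET_MAX_INSNS = 20         # a ROP gadget retires only a few instructions before its ret
CHAIN_MIN_LEN = 6             # this many consecutive short gadgets counts as a chain
SPRAY_WRITE_THRESHOLD = 5000  # heavy memory writes between returns suggests spraying
LOW_RATE = 8                  # low-rate mode inspects every 8th mispredicted return

def rop_only_detect(samples: List[Sample]) -> Tuple[int, int]:
    """Inspect every mispredicted return; flag a run of short gadgets.
    Returns (index where the chain was detected or -1, samples inspected)."""
    run = 0
    for i, s in enumerate(samples):
        run = run + 1 if s.insns <= GADGET_MAX_INSNS else 0
        if run >= CHAIN_MIN_LEN:
            return i, i + 1
    return -1, len(samples)

def self_adaptive_detect(samples: List[Sample]) -> Tuple[int, int]:
    """Stay at the low sampling rate until a spray pattern appears, then switch
    to inspecting every sample and look for the gadget chain."""
    high_rate, run, inspected = False, 0, 0
    for i, s in enumerate(samples):
        if not high_rate and i % LOW_RATE != 0:
            continue  # skipped in low-rate mode: no analysis cost for this sample
        inspected += 1
        if not high_rate:
            high_rate = s.mem_writes >= SPRAY_WRITE_THRESHOLD
            continue
        run = run + 1 if s.insns <= GADGET_MAX_INSNS else 0
        if run >= CHAIN_MIN_LEN:
            return i, inspected
    return -1, inspected

def constructed_trace(with_spray: bool = True) -> List[Sample]:
    """Constructed sample stream: benign activity, optional spray phase, then a chain."""
    benign = [Sample(insns=200 + (7 * i) % 300, mem_writes=10) for i in range(40)]
    spray = [Sample(insns=300, mem_writes=8000) for _ in range(16)] if with_spray else []
    chain = [Sample(insns=3 + i % 5, mem_writes=0) for i in range(8)]
    return benign + spray + chain

if __name__ == "__main__":
    for spray in (True, False):
        trace = constructed_trace(spray)
        print("spray" if spray else "no spray", rop_only_detect(trace), self_adaptive_detect(trace))
```

Under these assumptions the self-adaptive policy reaches the same detection point as the ROP-only policy while inspecting far fewer samples, but a chain that is not preceded by a spray phase never triggers the switch to the high rate, which is the cost of the lower overhead.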
